AV & EDR Enumeration
Vulnerability
Once authenticated on a Windows host, even with low privileges, you can enumerate the running antivirus engines and EDRs.
Prerequisites
- Low privileged access to the targeted host.
Exploit
The following commands can help you enumerate antivirus protections on a Windows host.
# With WMIC through cmd.
wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct
# With PowerShell.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
# Manually look for a known product name among the services (SentinelOne here as an example).
Get-Service | Select-Object -Property * | Select-String SentinelOne
If Windows Defender is running, take a look at how to bypass it.
# Check Windows Defender status.
Get-Service WinDefend
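The SecurityCenter2 query and the WinDefend service check above can be combined into one audit. The script below is an added example, not part of the original page: it decodes the AntivirusProduct.productState field into "enabled" and "up to date" flags and falls back to the service check when the root/SecurityCenter2 namespace is absent (it only exists on client editions, not on Windows Server). The productState bit layout is not documented by Microsoft; the masks used here are an assumption based on commonly observed values (for example 0x61100 for an enabled, up-to-date product) and should be verified against your own hosts.

```powershell
# Added example (not from the original page): audit registered antivirus products
# via root/SecurityCenter2 and decode the undocumented productState field.
# ASSUMPTION: the bit masks below follow commonly observed values
# (e.g. 0x61100 = enabled and up to date); Microsoft does not document them.
function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$State)
    [pscustomobject]@{
        Hex      = ('0x{0:X6}' -f $State)
        Enabled  = (($State -band 0x1000) -ne 0)   # second byte 0x10 = real-time protection on
        UpToDate = (($State -band 0x0010) -eq 0)   # third byte 0x10 = definitions out of date
    }
}

function Get-AvInventory {
    # root/SecurityCenter2 is only present on client SKUs; on Windows Server
    # Get-CimInstance throws, so we report that and rely on the service check.
    try {
        $products = Get-CimInstance -Namespace root/SecurityCenter2 `
            -ClassName AntivirusProduct -ErrorAction Stop
    } catch {
        $products = @()
        Write-Warning "root/SecurityCenter2 not available (server SKU?): $($_.Exception.Message)"
    }
    foreach ($p in $products) {
        $decoded = ConvertFrom-AvProductState -State $p.productState
        [pscustomobject]@{
            Source   = 'SecurityCenter2'
            Name     = $p.displayName
            Enabled  = $decoded.Enabled
            UpToDate = $decoded.UpToDate
            State    = $decoded.Hex
        }
    }
    # Always report the Defender service as well: it is present even when
    # SecurityCenter2 cannot be queried or lists only a third-party product.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc) {
        [pscustomobject]@{
            Source   = 'Service'
            Name     = $svc.DisplayName
            Enabled  = ($svc.Status -eq 'Running')
            UpToDate = $null
            State    = [string]$svc.Status
        }
    }
}

Get-AvInventory | Format-Table -AutoSize
```

A product listed as Enabled = False or UpToDate = False by SecurityCenter2 is worth cross-checking with the vendor's own status command, since the productState encoding is inferred rather than documented.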
You can also use the EICAR anti-malware test file. Most products on the market are designed to trigger on this harmless file. Just download it, drop it on the targeted host (Windows or Linux) and watch whether something happens (the file is deleted, an alert is triggered, etc.).
Useful links
- EICAR: European Institute for Computer Anti-Virus Research.